[Icecast] SSL Setup
José Luis Artuch
artuch at speedy.com.ar
Fri Jul 21 16:41:30 UTC 2017
On Mon, 10-07-2017 at 09:31 +0000, Philipp Schafft wrote:
> Good morning,
> On Mon, 2017-07-10 at 01:25 +0000, ScanCaster wrote:
> > IceCast is one of the last services I have that doesn't connect
> > securely,
> > and I am looking to close that hole....
> > [...]
> > OK... add a port for SSL for IceCast in icecast.xml...path for cert
> > file
> > in same.... no biggie
> The <ssl-certificate> belongs in the <paths> section of the config
> (I'm not sure what you mean with 'in same', just wanted to make it
> > The key/cert needs to be in a dir and file with applicable
> > permissions
> > for the IceCast user... no biggie..
> > chown icecastusergroup:icecastusergroup certfile
> > What I am looking to confirm is that the cert file needs to
> > contain:
> > -----BEGIN RSA PRIVATE KEY-----
> > MII
> > -----END RSA PRIVATE KEY-----
> > -----BEGIN CERTIFICATE-----
> > MI
> > -----END CERTIFICATE-----
> > Where the Cert is the file/text Comodo sends me, and the key is the
> > one
> > openssl spit out earlier,
> > Combine them up in certfile, Correct? Special order?? KEY then
> > Cert, or v-
> > v? Line separating them?
> The format is the OpenSSL format: key, blank line, cert (chain).
> echo | cat key.pem - cert.pem > combo.pem
> > kill -HUP pidOfIcecast
> As of Icecast2 2.4.x you need to restart Icecast to reload the cert.
> There is however a fix in 2.5.x (development) which is hopefully
> released with the next development update.
> > And good????
> > One thing can the web server spit out just a text file that is used
> > by
> > Comodo to verify ownership of the domain? The DNS method normally
> > fails....
> Sure. Just put it into the webroot (<webroot> in <paths>). Icecast
> handles files in webroot according to your operating system's mine-
On Debian 9, in the configuration file it says:
What should be the correct path of the icecast.pem file?
Should it be /usr/share/icecast2/web/icecast.pem?
> > ie: http://icecast.domain.invalid/somestringofletersnumbers.txt
> > That they
> > request if it's dumped in the webroot stuff of Icecast? Without any
> > XSLT
> > markup?
> Icecast only processes XSLT files as XSLT.
> > So if I added a listening port on 80 for this, then took it away,
> > since I don't use that for Icecast... Icecast is on its own server
> > which
> > does not have Apache... web stuff for other things is on its own
> > box. I
> > never have used the Icecast to serve up anything other than the
> > default
> > admin etc. stuff it does by default...
> To avoid the need to run Icecast as privileged user in order to bind
> low ports (if Comodo really insists on using port 80) you can use
> a firewall to do a local redirect.
> Hope this is of help to you,
> with best regards,
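Added example, not part of the original thread: a shell sketch of the combined-file step discussed above (key, blank line, cert chain) that creates the file readable by its owner only and then checks the block order and permissions before Icecast is restarted. The function names and file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build and sanity-check the combined
# PEM referenced by <ssl-certificate>. All file names are placeholders.

# build_combo KEY CERT OUT: write key, blank line, cert (chain) to OUT.
build_combo() {
    key=$1 cert=$2 out=$3
    [ -r "$key" ] && [ -r "$cert" ] || return 1
    # The file holds the private key, so create it owner-only from the start.
    ( umask 077 && { cat "$key"; echo; cat "$cert"; } > "$out" ) || return 1
    chmod 600 "$out"
}

# check_combo FILE: succeed only if the first PEM block is the single private
# key, at least one certificate follows it, every BEGIN has its END, and the
# file grants nothing to group or others.
check_combo() {
    f=$1
    [ -r "$f" ] || return 1
    awk '
        /^-----BEGIN .*PRIVATE KEY-----$/ { if (inblk || certs) bad = 1; inblk = 1; keys++; next }
        /^-----BEGIN CERTIFICATE-----$/   { if (inblk || !keys) bad = 1; inblk = 1; certs++; next }
        /^-----END .*-----$/              { if (!inblk) bad = 1; inblk = 0; next }
        END { exit (bad || inblk || keys != 1 || certs < 1) }
    ' "$f" || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -l "$f" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Typical use (placeholder names), followed by chown to the Icecast user:
#   build_combo key.pem cert.pem combo.pem && check_combo combo.pem
```

The check only inspects the PEM markers and the mode bits; it does not confirm that the key belongs to the certificate.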